incredibly fucked up privacytools.io still recommends nextcloud
@tuxcrafting i just think recommending unencrypted cloud storage on a privacy-focused site is a terrible idea + nextcloud is a buggy piece of shit
@animeirl @tuxcrafting but security and privacy are two different concepts.
@xiao @tuxcrafting unencrypted data is not private
@animeirl @tuxcrafting I would argue that unencrypted data I have on an inaccessible storage unit is private.
@xiao @tuxcrafting i would argue that that is only ever arguably the case if said storage is not connected to the internet
@animeirl @tuxcrafting now I have to ask - what part of nextcloud is "unencrypted" in a way that makes a practical difference to privacy?
@xiao @tuxcrafting all your data is stored either unencrypted or encrypted with a server-side key meaning anyone with access to the server can view all your data (vps provider, people in your house if it's a local machine, hackers who gain access to the system in any other way)
@animeirl @tuxcrafting for which hosting project is this not the case? And how do you propose nextcloud to solve the problem?
@xiao @tuxcrafting end to end (client-side) encryption. data is encrypted and decrypted on the local device and only ever stored in the cloud encrypted. encryption keys are only ever stored locally as well (derived from the user's password) The other cloud provider listed on privacytools, S4, makes use of this as well as several other cloud storage providers such as mega, keybase, sync.com and others.
@animeirl @tuxcrafting that is unfortunately at odds with regulations in many countries where you as a company have to take ownership over the data you host (remember that a big part of nextcloud's users are companies). In that sense I agree that the users of the deployed system doesn't have a proper expectation of privacy, but the users (companies) of the product (nextcloud) can have their privacy. I don't see any solution to this though.
@animeirl @tuxcrafting if you base your company on nextcloud in the EU, then you have to be be sure that your coworkers don't store customer information in violation with GDPR - just as a quick example.
@xiao @tuxcrafting The company account would have access to the encryption keys. The cloud provider wouldn't. mega and sync, and s4 are all gdpr compliant
@animeirl @tuxcrafting then I am not aware of what encryption scheme they are using :)
@xiao @tuxcrafting What countries are you referring to? There are numerous cloud hosting providers around the world that offer end to end encryption. privacytools.io is based in france where e2e encryption is definitely legal. There are only a handful of authoritarian dictatorships that ban e2e encryption.